Should I use multiple IP addresses?

Answered Question

I am going to have to set up an ASA 5505. I will have Citrix and Microsoft Exchange sitting behind the ASA. Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc.?

Thanks for any responses, Bill

Correct Answer
Richard Burts Tue, 05/20/2008 - 10:52

Bill

If you have the addresses available I would advocate for using separate addresses for each server. In that case you will need just a straight static translation for each address. It is more simple and more clean. It is also a bit more obvious and that could be an advantage if something is not working and you are in the middle of troubleshooting.

HTH

Rick

Correct Answer
Jon Marshall Tue, 05/20/2008 - 11:52

Bill

No, you don't need to do this. As long as the public IP addresses are routed to the outside interface of your firewall then you only need to configure one address on the public interface, e.g.

212.17.10.0 255.255.255.240

Outside interface of ASA

212.17.10.2 255.255.255.240

Inside interface of ISP router

212.17.10.1 255.255.255.240

Then the rest of the addresses you can use as

static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255

where 192.168.5.1 is one of your internal servers.

The ASA will then respond to any traffic destined for 212.17.10.3, NAT it to 192.168.5.1 and forward it on to the internal server.

Obviously you need to allow the traffic from the outside with an access-list.

Also your servers may be on a DMZ in which case just substitute the "inside" in your static statement with whatever the DMZ interface is called.

Jon
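To make Jon's answer concrete, here is a complete ASA 5505 configuration fragment in the pre-8.3 syntax his post uses. It is an added example, not configuration from the thread or from Cisco; the 212.17.10.0/28 block, the 192.168.5.x server addresses, the VLAN layout and the port lists (SMTP/HTTPS for Exchange, HTTPS/1494/2598 for Citrix) are assumptions for illustration. The outside interface carries a single address, each server gets its own one-to-one static, and the inbound access-list opens only the published ports to each mapped address so nothing else reaches the servers.

```cisco
! ---- Added example, not from the thread. Pre-8.3 ASA syntax.
! ---- Addresses, VLANs and port lists below are assumed for illustration.
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.17.10.2 255.255.255.240
!
! Default route to the ISP router; the ISP routes the whole /28 to 212.17.10.2.
route outside 0.0.0.0 0.0.0.0 212.17.10.1 1
!
! One-to-one static NAT per server. The ASA proxy-ARPs for .3 and .4 on the
! outside segment, so no extra addresses are configured on the interface.
! 212.17.10.3 -> Exchange, 212.17.10.4 -> Citrix (assumed hosts)
static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255
static (inside,outside) 212.17.10.4 192.168.5.2 netmask 255.255.255.255
!
! Pre-8.3: the inbound ACL matches the mapped (public) address.
! Exchange: inbound mail and OWA/ActiveSync only.
access-list outside_in extended permit tcp any host 212.17.10.3 eq smtp
access-list outside_in extended permit tcp any host 212.17.10.3 eq https
! Citrix: web interface, ICA and session reliability (CGP) only.
access-list outside_in extended permit tcp any host 212.17.10.4 eq https
access-list outside_in extended permit tcp any host 212.17.10.4 eq 1494
access-list outside_in extended permit tcp any host 212.17.10.4 eq 2598
! Explicit logged deny so blocked attempts show up in syslog.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! ASA 8.3 and later replaced "static" with object NAT, and the inbound ACL
! then references the real (inside) address instead of the mapped one:
! object network exchange-srv
!  host 192.168.5.1
!  nat (inside,outside) static 212.17.10.3
! access-list outside_in extended permit tcp any host 192.168.5.1 eq https
```

If the servers sit on a DMZ VLAN instead, change the `(inside,outside)` pair to `(dmz,outside)` as Jon notes; the ACL stays the same because it is applied on the outside interface.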

Richard Burts Tue, 05/20/2008 - 12:25

Jon

I think that perhaps we are trying to say the same thing from slightly different perspectives. In the original post the question was:

"Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc."

My response was that a single address with port forwarding was overly complex. That is essentially the same thing that you are saying. Your response is much more specific about doing the translations but still assumes that he will use a group of public addresses associated with the public interface.

HTH

Rick

Jon Marshall Tue, 05/20/2008 - 12:27

Rick

I agree that using individual addresses is the simplest approach.

It's one of those things where interpretation of the question comes in. I thought Bill was asking if all the public IP addresses that were allocated would actually need to be configured on the ASA outside interface which obviously isn't needed.

Jon

Richard Burts Tue, 05/20/2008 - 12:35

Jon

Agreed that there is interpretation of the question which leads to different emphases. And certainly agreed that the outside interface needs only a single address configured.

HTH

Rick
